Short Answer
The four core pillars of AI literacy: hallucination awareness (the model can look confident yet produce something false, so citations and data must always be verified), privacy (each platform has a different data flow, and a paid, KVKK-compliant plan is mandatory for sensitive content), copyright (training data lawsuits are an open matter, and the copyright status of output varies by country), and ethical limits (it should not replace human judgment, and critical decision support must always be supervised). Since 2025 the EU AI Act has imposed strict rules on the high-risk category; in Turkey, the KVKK framework plus the 2026 Turkish Data Protection Strategy roadmap apply. A responsible user is a user who knows these four pillars.
Serteser Consulting offers AI literacy training, KVKK-compliant usage protocols, risk assessment, and ethical policy design for individuals and organizations. With a research infrastructure that manages PROSPERO-registered systematic reviews (Hip OA CRD420261324092, Knee OA CRD420261298163) and publishes in an international peer-reviewed journal, it provides practical support for the responsible and efficient use of artificial intelligence.
Why AI literacy is necessary
Using AI is different from searching on Google. Google shows known sources; AI generates. During generation it can hallucinate, its privacy flow is uncertain, copyright enters a gray area, and there are ethical question marks.
As of 2026, AI literacy is a subtopic of digital literacy: just as we learned to write email, we must learn to build prompts, recognize fake content, and understand the copyright line. This article covers four core pillars: hallucination, privacy, copyright, and ethics.
Pillar 1: Hallucination
An LLM is a "word prediction machine". It generates the most probable next word. It has no engine that checks for accuracy. In other words, an academic citation that never existed, such as "Smith et al., 2018, Lancet 392:1234", can look perfectly clean yet be fabricated.
Types of hallucination:
- Citation hallucination. Fake article, fake author, fake DOI. The most dangerous one in academic use.
- Fact hallucination. The "Ataturk was born in Istanbul in 1881" type. Rare for common knowledge, frequent for niche knowledge.
- Computation hallucination. A wrong number in a mathematical or legal calculation. Modern models (Claude Opus 4.7, GPT-5 reasoning) are noticeably better but it still occurs.
- Source misattribution. Correct information but attributed to the wrong person or place.
- Imaginary code function. A nonexistent API endpoint, a nonexistent library function.
How to reduce hallucination:
- RAG (Retrieval Augmented Generation): Add a source document to the model and tell it to "generate only from this document"
- Web search plugin: Perplexity, Claude web search, and ChatGPT web search pull live sources
- Tool use: A Python tool for computation, a PubMed tool for citations
- Low temperature: Lower creativity, more consistent output
- A "say I don't know if you don't know" system prompt: Steer the model to stop when it is uncertain
How to catch hallucination:
- Manually verify every citation (Google Scholar, PubMed)
- Confirm numbers with a second model or a calculator
- Always have a second human eye on critical decisions
- When using tools or agents, check the logs to confirm it actually performed the search
Pillar 2: Privacy and data flow
Each platform has a different data flow. The question "what happens if I paste a work document into a free model" is critical.
Data flow categories:
A. Free tiers (ChatGPT free, Gemini free, Claude free): Data may be used for default model training. Opt-out exists but the default is on. Do not put sensitive business data in.
B. Paid subscription (Plus, Pro, Advanced): Not used for training (off by default). 30-day abuse monitoring. Safer, but corporate sensitive data still requires a DPA.
C. Enterprise / API: The Anthropic and OpenAI APIs do not use data for training. Enterprise plans have a Zero Data Retention (ZDR) option where not even logs are kept. A DPA can be signed.
D. Self-hosted (Llama, Mistral on-prem): Data never leaves your machine. Full control for KVKK plus sectoral regulation.
Practical table:
| Data type | Recommended plan |
|---|---|
| General research, personal | Free tiers OK |
| Business emails, reports | Paid subscription |
| Customer PII, contracts | Enterprise + DPA |
| Patient data, clinical records | Self-hosted or ZDR + DPA |
| State secrets, financially sensitive | Self-hosted only |
KVKK framework:
- Before giving personal data (name, email, phone) to AI: either obtain explicit consent, or anonymize it on a legitimate interest basis
- For patient data (special category), explicit consent + DPA + cross-border transfer approval
- Under Turkish law, some data cannot leave the country (for example, certain public personnel records)
The most frequent mistake for corporate users: Pasting a strategy document into ChatGPT free. Putting a contract draft into Claude. Uploading patient information into Gemini. These three are as practical as they are common, and all of them carry KVKK, legal, and employer risk.
Pillar 3: Copyright
Copyright is AI's murkiest area. Two separate layers:
Layer A: Training data
Were the models trained with copyrighted content? Short answer: yes, largely. This is the subject of legal litigation. Major lawsuits filed between 2023 and 2026:
- NYT vs OpenAI/Microsoft (ongoing)
- Getty Images vs Stability AI
- Author groups vs Anthropic (partial settlement)
- Music labels vs Suno/Udio
US courts are closing some cases in AI's favor on the "transformative use" principle, while others continue against AI. The EU AI Act has made training data transparency mandatory.
Layer B: Copyright of AI output
Who owns content produced by AI?
- US (USPTO 2023 decision): Content produced solely by AI cannot receive copyright. How much human creativity is involved matters.
- EU (undecided): No clear rule yet; there are regulations expected to become clearer in 2026.
- Turkey: No clarity from an intellectual and industrial property standpoint; "human creativity" is a requirement under Law No. 5846. AI output likely cannot receive copyright, but if there is user creativity (prompt + edit) it becomes a mixed situation.
Practical recommendations:
- If you use AI output for publication, always add serious human revision
- For a logo, brand, or product name, do not register AI output as is; run it through a designer and add a human-creativity layer
- If you produce work for a client, state in the contract that you used AI
- Disclose AI use in academic papers (the ICMJE/Vancouver framework)
Pillar 4: Ethical limits
The ethical framework for AI use is still maturing. However, the following limits are becoming a practical standard:
Red lines (unavoidable prohibition):
- Producing fake content and presenting it as real (deepfake, AI generated false review)
- Passing off a chatbot as a human to deceive a person (EU AI Act: disclosing that it is AI is mandatory)
- Delegating a sensitive decision (health diagnosis, legal outcome, credit decision) to AI on its own
- Producing copied output from copyrighted content and presenting it as your own
- Manipulative AI content aimed at children or vulnerable people
Yellow lines (under supervision):
- AI use for professional consulting (legal, medical) requires expert oversight
- Education sector (a student having AI do their homework) depends on the educational institution's policy
- HR / hiring decision support, bias risk, manual approval mandatory
- Marketing content production, disclosure is debated, at minimum quality control
Green lines (comfortable use):
- Personal productivity (email, summary, planning)
- Education and learning (concept explanation, Q&A)
- Creative brainstorming
- Routine business automation (supervised)
- General research and comparison
Regulatory framework (2026)
EU AI Act (in force 2025):
- High-risk AI systems (health, critical infrastructure, education, hiring): certification, audit, documentation
- Transparency: disclosure that it is AI, disclosure of training data
- General Purpose AI (such as GPT, Claude, Gemini): minimum requirements
- Penalties up to 7% of annual turnover
US (uncertain at the federal level, state-based):
- California and New York have issued sectoral AI regulations
- FDA has a separate path for medical AI
- The SEC has guidance on AI use in financial services
Turkey:
- Personal data processing under KVKK
- The 2026 Turkish Data Protection Strategy is producing additional guidance on AI use
- The Ministry of Health has launched registration and approval processes for medical AI
- The Presidency's Digital Transformation Office published an AI policy document in 2024-2025
Sectoral regulators:
- TITCK: AI software as a medical device
- BDDK: AI in banking decisions
- SPK: AI in investment advisory
- RTUK: AI content in broadcasting
Risk checklist for the individual user
A 60-second check before every AI use:
- Is there sensitive data? If so, which plan am I using?
- Will I verify the output before using it?
- Do I need to disclose that I used AI (academic, client work)?
- Is there a copyright issue? (for images, for code)
- Is there an ethical red line? (deepfake, fake content, critical decision)
- If I share this output, what is my KVKK / legal responsibility?
Three common mistakes
Mistake 1: "AI wrote it, so I trust it". Assuming the citation is right, assuming the number is right. Hallucination can always happen; verification is always necessary.
Mistake 2: Pasting sensitive data into a free tier. Once pasted, it cannot be taken back. If you handle sensitive work, use at least a paid subscription.
Mistake 3: Leaving a critical decision to AI. "The AI said so" does not remove responsibility. Making a legal, medical, or financial decision with AI alone is both an ethical and a legal problem.
Serteser Consulting for AI literacy
AI literacy training and risk control for individuals and organizations is a practical investment. Serteser Consulting offers:
- Individual AI literacy training (2-4 hour workshop)
- Corporate AI policy design (usage rules, red lines)
- KVKK-compliant usage protocol
- Ethical risk assessment and audit
- Sectoral regulatory compliance (health, finance, legal)
- Employee awareness programs
In a free 15-minute introductory meeting, we map out your usage profile and risk landscape. Focused on knowledge transfer, not on sales.
To fit AI into your own workflow, you can look into the individual mentoring option.